in.telnetd

Roger Gonzalez rg at msel.unh.edu
Mon Apr 1 03:54:55 AEST 1991


In article <14471 at life.ai.mit.edu> fidelio at geech.gnu.ai.mit.edu (Rob J. Nauta) writes:
>About three weeks ago I wrote a program that listens along with in.telnetd
>and manages to read the username and password by using some tricks.
>I sent the program to SUN and CERT, who have rushed out new versions
>for SunOS. But apart from a 'we have received your mail and will forward it
>to someone' absolutely no news, mail, nothing about this.
>So, I want to know, what's up ? Has anyone heard anything ?
>
>Greetings, Rob

I got a notification from CERT about it and patches were put in uunet's
sun-dist directory, among other places.  This brought to light one of my
chief beefs about CERT: they just say that there is a hole, and where to
get something to fix it.  I get queasy when CERT says "quick - go
replace your in.telnetd" without any explanation of where the hole is.
To get on the CERT mailing list, you're supposed to be root at a site,
but I see CERT bulletins posted all over the net! What's the point in
having a semi-secure list to find out about security holes when all you
get is a watered down alert that gets posted -everywhere-?

Harumph.
-- 
"The question of whether a computer can think is no more interesting
 than the question of whether a submarine can swim" - Edsger W. Dijkstra
rg@[msel|unhd].unh.edu        |  UNH Marine Systems Engineering Laboratory
r_gonzalez at unhh.bitnet        |  Durham, NH  03824-3525



More information about the Comp.unix.internals mailing list